ANSPDCP (Romania) - Fine against NN Pensii Societate de Administrare a unui Fond de Pensii Administrat Privat S.A. and NN Asigurări de Viață S.A.

From GDPRhub
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1)(b) GDPR; Article 32(1)(d) GDPR; Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 12.05.2023
Fine: 2,500 EUR in total (1,500 EUR and 1,000 EUR)
Parties: NN Asigurări de Viață S.A.; NN Pensii Societate de Administrare a unui Fond de Pensii Administrat Privat S.A.
National Case Number/Name: Fine against NN Pensii Societate de Administrare a unui Fond de Pensii Administrat Privat S.A. and NN Asigurări de Viață S.A.
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

Following a data breach, the Romanian DPA found that the controllers had not tested a configuration change to their online application before deploying it and had not implemented periodic, documented tests and assessments of their security measures. The untested change led to the unauthorised disclosure of personal data, in violation of Article 32 GDPR.

English Summary

Facts

NN Pensii Societate de Administrare a unui Fond de Pensii Administrat Privat S.A. and NN Asigurări de Viață S.A., two insurance operators (controllers) owned by the same parent company, made an online application (NN Direct) available to their customers to facilitate the services they offer.

A data breach occurred after a configuration change to the device that temporarily stores (caches) the application's web pages: the option to keep pages in the device's memory was switched on. As a result, for a period of time some users of the application were shown personal data that did not belong to them. The data of two persons was exposed (surname and first name, personal numerical code, address from the identity card, mailing address, email address and telephone number).

The controllers notified the breach to the Romanian DPA, which opened an investigation into each controller. The investigations showed that neither controller had subjected the configuration change to a testing process before making the application available to the public, and that neither had implemented a periodic, documented process for testing and evaluating the effectiveness of its technical and organisational security measures.
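The mechanism described above (a shared web cache switched to keep personalised pages in memory, so that one customer is served a page rendered for another) and the testing process the DPA found missing, as an added illustration that is not code from NN Direct, from the controllers or from the decision: a toy shared HTTP cache in Python with the naive "keep every page" policy beside a hardened one, plus the two-user regression check a deployment pipeline would run against each cache configuration before go-live. The origin server, paths, headers, session cookies and user records are all hypothetical and constructed; the decision does not describe the real device or its settings beyond what the summary states.

```python
"""Added example (not code from the NN Direct application or the ANSPDCP decision):
a toy shared HTTP cache showing how enabling 'keep web pages in memory' for a
personalised page serves one user's data to another, a hardened caching policy,
and the pre-deployment regression check the authority found missing.
All names, paths, headers and user records are hypothetical and constructed."""
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict
    body: str


# Constructed session store: session cookie value -> data the account page renders.
USERS = {
    "sess-alice": {"name": "Alice Popescu", "cnp": "29001010000XX"},
    "sess-bob": {"name": "Bob Ionescu", "cnp": "18505050000XX"},
}


def origin(path: str, req_headers: dict) -> Response:
    """Hypothetical origin server: /account is personalised, /help is public."""
    if path == "/help":
        return Response(200, {"Cache-Control": "public, max-age=3600"}, "<p>FAQ</p>")
    session = req_headers.get("Cookie", "").removeprefix("session=")
    user = USERS.get(session)
    if path == "/account" and user:
        # The application itself marks the page private and cookie-dependent;
        # the leak happens only if the cache in front of it ignores that.
        return Response(
            200,
            {"Cache-Control": "private, no-store", "Vary": "Cookie"},
            f"<p>{user['name']} CNP {user['cnp']}</p>",
        )
    return Response(404 if user else 401, {"Cache-Control": "no-store"}, "")


def naive_policy(req_headers: dict, resp: Response) -> bool:
    """'Keep web pages in memory' switched on: store every 200 regardless of headers."""
    return resp.status == 200


def hardened_policy(req_headers: dict, resp: Response) -> bool:
    """Store only responses that are neither marked private nor tied to a credential."""
    directives = {d.strip() for d in resp.headers.get("Cache-Control", "").lower().split(",")}
    if directives & {"private", "no-store"}:
        return False
    if "Cookie" in req_headers or "Authorization" in req_headers:
        return False
    return resp.status == 200


class SharedCache:
    """Cache shared by all users. Entries are keyed by path; when honour_vary is set,
    the request header values named in the response's Vary header form a secondary key."""

    def __init__(self, policy, honour_vary: bool):
        self.policy = policy
        self.honour_vary = honour_vary
        self.store: dict[str, list[tuple[dict, Response]]] = {}
        self.hits = 0

    def fetch(self, path: str, req_headers: dict) -> Response:
        for varied, cached in self.store.get(path, []):
            if all(req_headers.get(h) == v for h, v in varied.items()):
                self.hits += 1
                return cached  # served from shared memory, whoever asked
        resp = origin(path, req_headers)
        if self.policy(req_headers, resp):
            vary = resp.headers.get("Vary", "") if self.honour_vary else ""
            names = [h.strip() for h in vary.split(",") if h.strip()]
            self.store.setdefault(path, []).append(({h: req_headers.get(h) for h in names}, resp))
        return resp


def cross_user_leak(cache: SharedCache) -> bool:
    """Regression check to run against every cache configuration before deployment:
    request the personalised page as two users and report whether either sees the
    other's data. True means the configuration leaks."""
    alice = cache.fetch("/account", {"Cookie": "session=sess-alice"})
    bob = cache.fetch("/account", {"Cookie": "session=sess-bob"})
    return USERS["sess-alice"]["name"] in bob.body or USERS["sess-bob"]["name"] in alice.body


def public_page_cached(cache: SharedCache) -> bool:
    """The hardened policy must still cache genuinely public pages (no over-correction)."""
    cache.fetch("/help", {})
    before = cache.hits
    cache.fetch("/help", {})
    return cache.hits == before + 1


if __name__ == "__main__":
    for label, cache in [
        ("naive, Vary ignored", SharedCache(naive_policy, honour_vary=False)),
        ("naive, Vary honoured", SharedCache(naive_policy, honour_vary=True)),
        ("hardened", SharedCache(hardened_policy, honour_vary=True)),
    ]:
        print(f"{label:22} leak={cross_user_leak(cache)} public cached={public_page_cached(cache)}")
```

The check is deliberately configuration-agnostic: it does not inspect the cache's settings, it observes behaviour, so it catches a leak whether the cause is an ignored `Cache-Control: private`, a disregarded `Vary`, or a cache key built from the URL alone. Running it as a gate on each configuration change, and recording the result, is the kind of procedured, periodic testing the corrective measure in this decision requires.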

Holding

The Romanian DPA concluded that the controllers had not implemented sufficient security measures, in breach of Article 32(1)(b), Article 32(1)(d) and Article 32(2) GDPR. NN Pensii Societate de Administrare a unui Fond de Pensii Administrat Privat S.A. was fined 7,407 lei (approximately 1,500 EUR), while NN Asigurări de Viață S.A. was fined 4,938 lei (approximately 1,000 EUR). Additionally, the DPA ordered both controllers, as a corrective measure, to implement a procedured testing mechanism applied at regular intervals, under which the possible configurations of the applications available to their customers are tested, the results are documented and remedial measures are applied so as to avoid similar security incidents.


English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

12.05.2023

New sanctions

The National Supervisory Authority completed, in April 2023, two investigations of insurance operators.

The investigations were started as a result of data security breach notifications that were sent by NN Pensii Societate de Administrare a unui Fond de Pensii Administrat Privat S.A. and NN Asigurări de Viață S.A.

As such, it was found that:

The operator NN Pensii Societate de Administrare a unui Fond de Pensii Administrat Privat S.A. violated the provisions of art. 32 para. (1) lit. b) and d) and art. 32 para. (2) of Regulation (EU) 2016/679 and was fined in the amount of 7,407.00 lei (the equivalent of 1,500 euros). The operator NN Asigurări de Viață S.A. violated the provisions of art. 32 para. (1) lit. b) and d) and art. 32 para. (2) of Regulation (EU) 2016/679 and was penalised with a fine of 4,938.00 lei (the equivalent of 1,000 euros).

1. As part of the investigation carried out at the operator NN Pensii Societate de Administrare a unui Fond de Pensii Administrat Privat S.A., it was found that it made a series of changes to the configuration of the equipment that ensures the temporary storage of the web pages of the NN Direct application made available to customers, the option to keep the web pages in its memory being activated. This situation resulted in some users of the operator's application viewing, for a period of time, personal data that did not belong to them.

From the checks carried out, it turned out that this situation led to unauthorised access and the loss of confidentiality of personal data (surname, first name, personal numerical code, address in the identity card, mailing address, e-mail address and telephone number), two persons being affected by the incident. It also emerged that, prior to making the NN Direct application available to the public, the configuration changes to the device that ensures the temporary storage of its web pages were not subjected to a testing process at operator level.

The National Supervisory Authority found that the operator NN Pensii Societate de Administrare a unui Fond de Pensii Administrat Privat S.A. had not implemented adequate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, including the ability to ensure the confidentiality, integrity, ongoing availability and resilience of processing systems and services, and a process for regularly testing, evaluating and assessing the effectiveness of the technical and organisational measures for ensuring the security of the processing.

At the same time, the corrective measure was ordered against the operator to implement a procedured and promoted testing mechanism applied at regular time intervals, through which tests are carried out on the possible configurations of the active applications made available to the clients of NN Pensii Societate de Administrare a unui Fond de Pensii Administrat Privat S.A., documenting the results and applying remedial measures in order to avoid similar security incidents.

2. As part of the investigation at the operator NN Asigurări de Viață S.A., it was found that it made a series of changes to the configuration of the equipment that ensures the temporary storage of the web pages of the NN Direct application made available to customers, the option to keep the web pages in its memory being activated. As a result, it was possible for some users of the operator's application to view, for a period of time, personal data that did not belong to them.

As a result of the checks within the investigation, it turned out that this situation led to unauthorised access and the loss of confidentiality of personal data (surname, first name, personal numerical code, address in the identity card, mailing address, e-mail address and telephone number). At the same time, it emerged that, before making the NN Direct application available to the public, the changes were not subjected to a testing process by the operator.

The National Supervisory Authority found that the operator NN Asigurări de Viață S.A. had not implemented adequate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, including the ability to ensure the confidentiality, integrity, ongoing availability and resilience of processing systems and services, and a process for regularly testing, evaluating and assessing the effectiveness of the technical and organisational measures for ensuring the security of the processing.

At the same time, the corrective measure was ordered against the operator to implement a procedured and promoted testing mechanism applied at regular time intervals, through which tests are carried out on the possible configurations of the active applications made available to the customers of NN Asigurări de Viață S.A., documenting the results and applying remedial measures in order to avoid similar security incidents.

Legal and Communication Department

A.N.S.P.D.C.P